In the clouds…

Cloud whisps

Created by turtlemom4bacon – Used under a creative commons licence 2.0

 

As our school moves into implementing our co-teaching model,  a reoccurring question has been around the topic of assessment and the sharing of information; in particular student assessment observations, assessment results, behaviour tracking and work programs.

Many of our staff have access to iPads and are keen to use these as part of their teaching. Some are exploring the use of Google Docs, some are exploring the Ultranet and some are exploring other options.

The question of privacy and security of information was raised with regards to access to information that is stored within ‘the cloud’.

This lead to me completing a bit of an investigation of DEECD and Victorian Government policies on where we stand with regards to storing information online using Google Docs, Evernote and other web based applications.

I dug through the DEECD ICT Acceptable Use Policy, the iPads for Learning resource booklet, the terms and conditions for using Google Docs, the DEECD guides regarding public records and archives and the Public Record Office Standard for Retention and Disposal of School Records without finding much to help me.

I eventually stumbled across the Office for the Victorian Privacy Commissioner’s information sheet around the use of cloud computing and how it impacts on the Information Privacy Act 2000 (Vic)

Cloud Computing is the term being used for information technology infrastructure that hosts data or applications in the “cloud” – that is, refers to offsite, geographically remote software or data storage accessed via the Internet. Data applications are usually accessed on demand through a web browser instead of being stored on individual computers. Cloud computing technology is increasing being used by Victorian Government Agencies to reduce capital and operational costs….. Cloud Computing also allows departments to pool resources efficiently and quickly.

The part that interest me was the following paragraph:

The Information Privacy Act will only apply where the data stored includes personal information about an identifiable individual.

Based on my interpretation of this, data that would contain even a student’s first name would be considered identifiable.

The information sheet goes on to describe the different types of cloud computing in relation to where the server\s are located or stored. It breaks them up into the following categories:

Private Cloud – within the organisation only – the government hosts the cloud in Victoria and uses cloud technology within its organisation.

Community Cloud –  Within the Victorian Government – a centrally hosted cloud in Victoria that us used by various government Departments and organisations.

Public Cloud – Either within Australia but outside of Victoria (with the data hosted in Australia) or offshore (hosted by a cloud computing service provider whose data servers are located overseas)

Again, based on my knowledge and research, Google Docs and Evernote would be Public Clouds under the definition of the act given that their servers are located around the world.

With regard to the use of public clouds, the information sheet had this to say:

Where the provider is outside of Victoria or offshore, taking reasonable steps to protect personal information from misuse, loss, unauthorised access, modifications or disclosure under IIP4 (IIP4 is ——) is difficult or even impossible. By using the cloud service, the governemnt agency is relinquishing some – if not all – control over their data. This includes being able to control security measures.

As noted above, it is likely that a cloud service provider will be an agent for a Victorian government organisation. This means that if there is a data security breach, the government agency will remain responsible for any breach that occurs. The risks for the Victorian government organisation are compounded when information is stored offshore, as the organisation cannot control who can access the data or any security or encryption methods. There is also a real problem of enforceability or remedying a breach if it occurs in relation to data stored in an offshore server.

Given that many cloud computing service providers are in jurisdictions which do not have similar privacy or data protection laws, if a security breach occurs, an individual in Victoria will be powerless to take action against the cloud service provider and will only be able to complain to the Victorian government organisation, which may similarly be unable to assist due to its lack of control over the data.

Where the cloud server is located offshore, it may also be possible for foreign governments to access the information if that government requires it. For example, the PATRIOT Act and associated anti-terrorism legislation in the United States contain provisions allowing the US Government to access data in specified circumstances, but prohibiting the data custodian notifying anyone. Allowing access to foreign governments could be a breach of the unauthorised access restriction in IPP 4. Depending on the type of information held, foreign governments may also put pressure on the cloud service provider to remove information or stop providing the cloud service in breach of the Information Privacy Act. This could have other serious implications, including under the Public Records Act.

Some cloud service providers may host Victorian government data across servers located in several different jurisdictions (some of which may have privacy laws and some which may not), making data security compliance impracticable. Data might also not reside in one particular place, resulting in confusion if a breach occurs.

 

By this point, my head started hurting and I came to the conclusion that we no longer use our online tools.

Having read a few tweets and blog posts from those who use Evernote and Google Docs and other online tools to assist them in their work, I’m keen to hear how others go about doing this. I’d also love a link or reference to an official DEECD stance on the use of cloud computing.

Can you help ?!?

Do you use Google Docs, Evernote or another cloud based tool for your planning ? Your assessment records ?

Do you have documentations\research that supports their use in Victorian schools ?

 

 

 

 

 

 

 

 

 

 

 

 

One thought on “In the clouds…

  1. Roland Gesthuizen

    I don’t think that foreign powers would be interested in the mind maps that my students generate, I don’t think they would invoke the patriot act to censor an essay typed up using GoogleDocs. Oddly enough, I was berated by a teacher outside the Lincoln Memorial in Washington when taking a photograph as some students had strayed into my camera view. It did make me think about the lines that we draw between our personal lives when we stray into public spaces.

    I do think that teachers and students should not share personal data on the web and this is the scope of your discussion. In fact, a correctly set up Web2.0 account should only disclose a student name as as has been pointed, this could be hidden using a pseudonym and doesnt mean that the work is public. Few online activities require personal information beyond perhaps a gender and age (and these can be further fabricated) to protect and hide an identity.

    It is interesting to consider that my iPhone data is backed up onto an iCloud server, my photos are further backed up on a Google+ server, similarly for my Diigo, OneNote, Evernote and Dropbox files. I give as much thought to where this data physically lives as I do to where my breakfast cereal is grown. My guess is that others in the school community think the same. We probably now store more private data on our pocket devices than in our school administration systems.

    I agree that it gets interesting when we consider that this private data is often better secured online. When encrypted, divided up across different national boundaries then it isn’t a single physical object that can be pointed at. This is rather like looking at a web page that is called into existence when it is searched for and wondering where it came from.

    The end user may be the only entity that really matters and so we should continue ensuring that that we protect the storage and access to any student welfare information, family or personal details, assessment and reporting data. In practical terms, this means that we continue to use the school administration systems and clearly separate this from the more explorative nature of our classroom journeys.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *